Tests

Author: n1v0lg

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java

@@ -211,6 +211,53 @@ public void testGetUserPrivileges() throws IOException {
               "applications": [],
               "run_as": []
             }""");
+
+        upsertRole("""
+            {
+              "cluster": ["all"],
+              "indices": [
+                {
+                  "names": ["*", "idx"],
+                  "privileges": ["read", "manage"],
+                  "allow_restricted_indices": false
+                },
+                {
+                  "names": ["idx", "*"],
+                  "privileges": ["manage_data_stream_lifecycle"],
+                  "allow_restricted_indices": false
+                },
+                {
+                  "names": ["*", "idx"],
+                  "privileges": ["write"],
+                  "allow_restricted_indices": true
+                },
+                {
+                  "names": ["idx", "*"],
+                  "privileges": ["manage"],
+                  "allow_restricted_indices": true
+                }
+              ]
+            }
+            """, "role");
+        expectUserPrivilegesResponse("""
+            {
+              "cluster": ["all"],
+              "global": [],
+              "indices": [
+                {
+                  "names": ["*", "idx"],
+                  "privileges": ["manage", "manage_data_stream_lifecycle", "read"],
+                  "allow_restricted_indices": false
+                },
+                {
+                  "names": ["*", "idx"],
+                  "privileges": ["manage", "write"],
+                  "allow_restricted_indices": true
+                }
+              ],
+              "applications": [],
+              "run_as": []
+            }""");
     }
 
     public void testHasPrivileges() throws IOException {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -794,7 +794,7 @@ static GetUserPrivilegesResponse buildUserPrivilegesResponseObject(Role userRole
             }
         }
 
-        final LinkedHashSet<GetUserPrivilegesResponse.Indices> indices = new LinkedHashSet<>();
+        final Set<GetUserPrivilegesResponse.Indices> indices = new LinkedHashSet<>();
         for (IndicesPermission.Group group : userRole.indices().groups()) {
             indices.add(toIndices(group));
         }
@@ -843,27 +843,38 @@ static GetUserPrivilegesResponse buildUserPrivilegesResponseObject(Role userRole
         );
     }
 
-    private static LinkedHashSet<GetUserPrivilegesResponse.Indices> combineIndices(
-        LinkedHashSet<GetUserPrivilegesResponse.Indices> indices
-    ) {
-        final LinkedHashMap<Tuple<Boolean, Set<String>>, GetUserPrivilegesResponse.Indices> combinedIndices = new LinkedHashMap<>();
+    /**
+     * Due to selector-processing during role building
+     * (see {@link org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege#resolveBySelectorAccess(Set)}),
+     * it is possible that multiple index groups with the same indices exist with different privilege sets. To provide a cleaner response,
+     * this method combines them into one group.
+     */
+    private static Set<GetUserPrivilegesResponse.Indices> combineIndices(Set<GetUserPrivilegesResponse.Indices> indices) {
+        final Map<Tuple<Boolean, Set<String>>, GetUserPrivilegesResponse.Indices> combinedIndices = new LinkedHashMap<>();
         for (GetUserPrivilegesResponse.Indices index : indices) {
             final GetUserPrivilegesResponse.Indices existing = combinedIndices.get(
                 new Tuple<>(index.allowRestrictedIndices(), index.getIndices())
             );
             if (existing == null) {
                 combinedIndices.put(new Tuple<>(index.allowRestrictedIndices(), index.getIndices()), index);
             } else {
-                Set<String> combined = new LinkedHashSet<>(existing.getPrivileges());
-                combined.addAll(index.getPrivileges());
-                assert existing.allowRestrictedIndices() == index.allowRestrictedIndices();
-                assert Objects.equals(existing.getFieldSecurity(), index.getFieldSecurity());
-                assert Objects.equals(existing.getQueries(), index.getQueries());
+                Set<String> combinedPrivileges = new HashSet<>(existing.getPrivileges());
+                combinedPrivileges.addAll(index.getPrivileges());
+                boolean flsDlsMatch = Objects.equals(existing.getFieldSecurity(), index.getFieldSecurity())
+                    && Objects.equals(existing.getQueries(), index.getQueries());
+                assert existing.getIndices().equals(index.getIndices())
+                    && existing.allowRestrictedIndices() == index.allowRestrictedIndices()
+                    // due to collation & selector resolution code, fls and dls definitions are always the same if the indices match
+                    && flsDlsMatch;
+                if (false == flsDlsMatch) {
+                    // if the above invariant is violated, due to a bug, bail and return original indices (these will still be correct)
+                    return indices;
+                }
                 combinedIndices.put(
                     new Tuple<>(index.allowRestrictedIndices(), index.getIndices()),
                     new GetUserPrivilegesResponse.Indices(
                         index.getIndices(),
-                        combined,
+                        combinedPrivileges,
                         index.getFieldSecurity(),
                         index.getQueries(),
                         index.allowRestrictedIndices()

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java

@@ -1415,6 +1415,82 @@ public void testBuildUserPrivilegeResponse() {
         }
     }
 
+    public void testBuildUserPrivilegeResponseCombinesIndexPrivileges() {
+        final BytesArray query = new BytesArray("""
+            {"term":{"public":true}}""");
+        final Role role = Role.builder(RESTRICTED_INDICES, "test", "role")
+            .add(IndexPrivilegeTests.resolvePrivilegeAndAssertSingleton(Sets.newHashSet("read", "write")), "index-1")
+            .add(IndexPrivilege.ALL, "index-2")
+            .add(
+                new FieldPermissions(new FieldPermissionsDefinition(new String[] { "public.*" }, new String[0])),
+                Collections.singleton(query),
+                IndexPrivilege.MANAGE,
+                true,
+                "index-1",
+                "index-2"
+            )
+            .add(
+                new FieldPermissions(new FieldPermissionsDefinition(new String[] { "public.*" }, new String[0])),
+                Collections.singleton(query),
+                IndexPrivilegeTests.resolvePrivilegeAndAssertSingleton(Sets.newHashSet("read", "write")),
+                true,
+                "index-2",
+                "index-1"
+            )
+            .add(
+                new FieldPermissions(new FieldPermissionsDefinition(new String[] { "public.*" }, new String[0])),
+                Collections.singleton(query),
+                IndexPrivilegeTests.resolvePrivilegeAndAssertSingleton(Sets.newHashSet("read_failure_store", "manage_failure_store")),
+                true,
+                "index-2",
+                "index-1"
+            )
+            .add(
+                FieldPermissions.DEFAULT,
+                null,
+                IndexPrivilegeTests.resolvePrivilegeAndAssertSingleton(Sets.newHashSet("read_failure_store")),
+                false,
+                "index-2",
+                "index-1"
+            )
+            .build();
+
+        final GetUserPrivilegesResponse response = RBACEngine.buildUserPrivilegesResponseObject(role);
+
+        final GetUserPrivilegesResponse.Indices index1 = findIndexPrivilege(response.getIndexPrivileges(), Set.of("index-1"), false);
+        assertThat(index1.getIndices(), containsInAnyOrder("index-1"));
+        assertThat(index1.getPrivileges(), containsInAnyOrder("read", "write"));
+        assertThat(index1.getFieldSecurity(), emptyIterable());
+        assertThat(index1.getQueries(), emptyIterable());
+
+        final GetUserPrivilegesResponse.Indices index2 = findIndexPrivilege(response.getIndexPrivileges(), Set.of("index-2"), false);
+        assertThat(index2.getIndices(), containsInAnyOrder("index-2"));
+        assertThat(index2.getPrivileges(), containsInAnyOrder("all"));
+        assertThat(index2.getFieldSecurity(), emptyIterable());
+        assertThat(index2.getQueries(), emptyIterable());
+
+        Set<GetUserPrivilegesResponse.Indices> actualIndexPrivileges = response.getIndexPrivileges();
+        assertThat(actualIndexPrivileges, iterableWithSize(4));
+        final GetUserPrivilegesResponse.Indices index1And2 = findIndexPrivilege(actualIndexPrivileges, Set.of("index-1", "index-2"), true);
+        assertThat(index1And2.getIndices(), containsInAnyOrder("index-1", "index-2"));
+        assertThat(index1And2.getPrivileges(), containsInAnyOrder("read", "write", "read_failure_store", "manage_failure_store", "manage"));
+        assertThat(
+            index1And2.getFieldSecurity(),
+            containsInAnyOrder(new FieldPermissionsDefinition.FieldGrantExcludeGroup(new String[] { "public.*" }, new String[0]))
+        );
+        assertThat(index1And2.getQueries(), containsInAnyOrder(query));
+
+        final GetUserPrivilegesResponse.Indices index1And2NotRestricted = findIndexPrivilege(
+            actualIndexPrivileges,
+            Set.of("index-1", "index-2"),
+            false
+        );
+        assertThat(index1And2NotRestricted.getIndices(), containsInAnyOrder("index-1", "index-2"));
+        assertThat(index1And2NotRestricted.getPrivileges(), containsInAnyOrder("read_failure_store"));
+        assertThat(index1And2NotRestricted.getFieldSecurity(), emptyIterable());
+        assertThat(index1And2NotRestricted.getQueries(), emptyIterable());
+    }
+
     public void testBackingIndicesAreIncludedForAuthorizedDataStreams() {
         final String dataStreamName = "my_data_stream";
         User user = new User(randomAlphaOfLengthBetween(4, 12));
@@ -2017,6 +2093,21 @@ private static RequestInfo createRequestInfo(TransportRequest request, String ac
         );
     }
 
+    private GetUserPrivilegesResponse.Indices findIndexPrivilege(
+        Set<GetUserPrivilegesResponse.Indices> indices,
+        Set<String> indexNames,
+        boolean allowRestrictedIndices
+    ) {
+        return indices.stream()
+            .filter(
+                i -> i.allowRestrictedIndices() == allowRestrictedIndices
+                    && i.getIndices().containsAll(indexNames)
+                    && indexNames.containsAll(i.getIndices())
+            )
+            .findFirst()
+            .get();
+    }
+
     private GetUserPrivilegesResponse.Indices findIndexPrivilege(Set<GetUserPrivilegesResponse.Indices> indices, String name) {
         return indices.stream().filter(i -> i.getIndices().contains(name)).findFirst().get();
     }